Skip to content
Permalink
Browse files
use token in invoice delete route (#2889)
  • Loading branch information
kevinpapst committed Oct 30, 2021
1 parent 40061e4 commit 1d32e4ecee44a11d7eb8c6ede6385cb79a449d87
@@ -17,15 +17,15 @@ class Constants
/**
* The current release version
*/
public const VERSION = '1.15.6';
public const VERSION = '1.16.0';
/**
* The current release: major * 10000 + minor * 100 + patch
*/
public const VERSION_ID = 11506;
public const VERSION_ID = 11600;
/**
* The current release status, either "stable" or "dev"
*/
public const STATUS = 'stable';
public const STATUS = 'dev';
/**
* The software name
*/
@@ -36,6 +36,8 @@
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;

/**
@@ -253,10 +255,18 @@ public function changeStatusAction(Invoice $invoice, string $status, Request $re
}

/**
* @Route(path="/delete/{id}", name="admin_invoice_delete", methods={"GET"})
* @Route(path="/delete/{id}/{token}", name="admin_invoice_delete", methods={"GET"})
*/
public function deleteInvoiceAction(Invoice $invoice): Response
public function deleteInvoiceAction(Invoice $invoice, string $token, CsrfTokenManagerInterface $csrfTokenManager): Response
{
if (!$csrfTokenManager->isTokenValid(new CsrfToken('invoice.delete', $token))) {
$this->flashError('action.delete.error');

return $this->redirectToRoute('admin_invoice_list');
}

$csrfTokenManager->refreshToken($token);

try {
$this->service->deleteInvoice($invoice);
$this->flashSuccess('action.delete.success');
@@ -37,6 +37,6 @@ public function onActions(PageActionsEvent $event): void
}

$event->addAction('download', ['url' => $this->path('admin_invoice_download', ['id' => $invoice->getId()]), 'target' => '_blank']);
$event->addDelete($this->path('admin_invoice_delete', ['id' => $invoice->getId()]), false);
$event->addDelete($this->path('admin_invoice_delete', ['id' => $invoice->getId(), 'token' => $payload['token']]), false);
}
}
@@ -6,7 +6,7 @@

{% macro invoice(invoice, view) %}
{% import "macros/widgets.html.twig" as widgets %}
{% set event = actions(app.user, 'invoice', view, {'invoice': invoice}) %}
{% set event = actions(app.user, 'invoice', view, {'invoice': invoice, 'token': csrf_token('invoice.delete')}) %}
{{ widgets.table_actions(event.actions) }}
{% endmacro %}

@@ -353,7 +353,8 @@ public function testCreateActionAsAdminWithDownloadAndStatusChangeAndDelete()
$client->followRedirect();
$this->assertTrue($client->getResponse()->isSuccessful());

$this->request($client, '/invoice/delete/' . $id);
// this does not delete the invoice, because the token is wrong
$this->request($client, '/invoice/delete/' . $id . '/fghfkjhgkjhg');
$this->assertIsRedirect($client, '/invoice/show');
$client->followRedirect();
$this->assertTrue($client->getResponse()->isSuccessful());

0 comments on commit 1d32e4e

Please sign in to comment.